Issue in combination with BetterAuth

[laeckerv]

Hi,

I’ve set up Traefik, Keycloak, and traefik-oidc-auth, and I’m trying to authenticate one of my services which is a Next.js application that uses BetterAuth for the authentication part.

What works:
If I disable traefik-oidc-auth, BetterAuth is able to authenticate directly with Keycloak without any issues.

What doesn’t work:
When I access a route protected by the traefik-oidc-auth middleware, I get redirected to Keycloak as expected, and after a successful login, I’m redirected back to the Next.js app (with the correct callback URL).
However, I then receive the following error:

ERROR [Better Auth]: State Mismatch. OAuth state cookie not found

This makes sense, since the authentication flow wasn’t initiated by BetterAuth, so the state cookie never existed.

My understanding is that the state cookie is required so the app can verify that the callback corresponds to an authentication request it originally initiated.

Given this, I’m unsure whether traefik-oidc-auth should be responsible for setting such a state cookie, or if this is something I should raise as an issue/discussion in the BetterAuth repository.
Or perhaps I’m misunderstanding something altogether?

[laeckerv]

I just realized from this question that i might have a missunderstanding.

my traefik rule was

• traefik.http.routers.landing_page_demo.rule=Host(${BASE_DOMAIN}) && PathPrefix(/demo)

and in the middleware i had the callback set to

• CallbackUri: "/api/auth/oauth2/callback/keycloak (this is where betterauth is awaiting the callback)

as i thought my app would be responsible for handling the callback.

Thats not correct, right? the oidc middleware deals with the callback via some "overlay magic"?

[sevensolutions]

Yes exactly, the middleware provides an overlay-route for handling the callback. So requests to the CallbackUri are handled by the middleware itself and are never forwarded to the upstream service.
You also need to make sure that the request ist forwarded to the middlewar.
So if you for example constrain the router to PathPrefix(/demo) but configure the CallbackUri to be /api/auth/oauth2/callback/keycloak, it will never reach the middleware.
If you only want to secure a sub-route of your app, you can have a look here: https://traefik-oidc-auth.sevensolutions.cc/docs/config-samples/secured-sub-route

[sevensolutions]

I don't really know BetterAuth but isn't this a full authentication solution for Next.js, handling the whole authentication flow/state cookies etc. on it's own?
This plugin is a different solution which also handles the authentication but transparently to the upstream application.
So basically it is meant to secure applications which do not provide authentication on their own. Eg. static websites.
Therefore the plugin handles the entire auth flow including cookie management but you can forward some user context via header values to your upstream app in case you want to know "who" is logged in.

[laeckerv]

Thank you very much for your response. I really had a misunderstanding here. I changed the setting to let the middleware handle the whole auth process. Works great. Thank you!